Investigating with Splunk

In this TryHackMe room, SOC Analyst Johny has observed some anomalous behavior in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created a backdoor. His manager has asked him to pull the logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as the SOC analyst is to examine the logs and identify the anomalies.


Splunk

Splunk is an American software company based in San Francisco, California, whose platform collects, indexes, analyzes, and correlates network and machine logs in real time.

Lab Questions:
How many events were collected and ingested in the index main?

On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?

Examine the logs and identify the user that the adversary was trying to impersonate.

What is the command used to add a backdoor user from a remote computer?

How many times was the login attempt from the backdoor user observed during the investigation?

What is the name of the infected host on which suspicious PowerShell commands were executed?

PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?

An encoded Powershell script from the infected host initiated a web request. What is the full URL?


How many events were collected and ingested in the index main?

To find this, we need to type index="main" into the search (make sure that the time range is set to "All time").

The event count returned by the search is the answer: 12256


On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

Because the adversary was successful in creating a backdoor, there must be an event somewhere that logged the creation. It's safe to assume that the adversary created only one user, so we need to look for an event that happened only once. To do this we should look for "rare" EventIDs. The search will be: index=main | rare limit=20 EventID

There are multiple event IDs with a count of one. In order to narrow this down, let's google for the specific event ID we want.

After further research, I found that a user being created in Active Directory generates event ID 4720. Looking at the results, there is an event with event ID 4720! Let's select it.

The generated event describes that a new account named "A1berto" was created. Therefore, the answer has to be A1berto (note the digit 1 in place of the letter l).


On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?

Based on the earlier event, we see the new username is A1berto. Let's search for the new backdoor user: index=main A1berto

We’re looking for a message stating something about a registry key being changed. Let’s navigate through the log to find it.

You should eventually find it after scrolling for a little. In the "Message" box, it states "Registry object added or deleted", which signifies a modified registry key. The full path of the registry key is shown in the "TargetObject" field: HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto


Examine the logs and identify the user that the adversary was trying to impersonate.


What is the command used to add a backdoor user from a remote computer?

Since the question asks for the "command", we can infer that the adversary ran something from the command line to create the backdoor. Therefore, let's look at the field "CommandLine" and see if there is something interesting there.

After researching the event, I noticed that the Hostname was James.browne. The event states that he spawned powershell.exe, which the attacker then used to type in the command. This may be important later.

Answer: C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1

There is one specific value that seems malicious and out of place. The adversary created the fake account “A1berto” so we know that this wasn’t a command from anyone inside of the organization.
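As an added example (not part of the original walkthrough or the room's data), this is the check a SOC analyst would automate once the pattern above is known: parse each CommandLine value, pull out WMIC remote process creations (`/node:<host> process call create "<child command>"`), and flag the ones whose child command adds a local user. The sample command lines below are constructed; the second one has the shape of the command found in the room.

```python
import re

# Constructed sample CommandLine values (not the room's real logs). The second
# line mirrors the remote account-creation command found in the walkthrough.
SAMPLE_COMMANDLINES = [
    r'C:\Windows\System32\svchost.exe -k netsvcs',
    r'"C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1"',
    r'wmic.exe os get caption',
    r'"C:\windows\System32\Wbem\WMIC.exe" /node:FILESRV1 process call create "ipconfig /all"',
]

# wmic [...] /node:<target> process call create "<child command>"
WMIC_REMOTE_CREATE = re.compile(
    r'wmic(?:\.exe)?"?\s+/node:(?P<node>\S+)\s+process\s+call\s+create\s+"?(?P<child>[^"]+)"?',
    re.IGNORECASE,
)
# net user ... /add  (net1.exe is the helper net.exe hands off to)
NET_USER_ADD = re.compile(r'\bnet1?(?:\.exe)?\s+user\b.*\s/add\b', re.IGNORECASE)


def parse_wmic_remote_create(commandline):
    """Return {node, child, adds_user} for a WMIC remote process creation,
    or None when the command line is not one."""
    m = WMIC_REMOTE_CREATE.search(commandline)
    if not m:
        return None
    child = m.group("child").strip()
    return {
        "node": m.group("node"),          # host the process was created on
        "child": child,                   # command executed on that host
        "adds_user": bool(NET_USER_ADD.search(child)),
    }


def find_remote_user_creation(commandlines):
    """Keep only the remote creations whose child command adds a user."""
    findings = []
    for cl in commandlines:
        parsed = parse_wmic_remote_create(cl)
        if parsed and parsed["adds_user"]:
            findings.append(parsed)
    return findings


if __name__ == "__main__":
    for finding in find_remote_user_creation(SAMPLE_COMMANDLINES):
        print(f"remote user creation on {finding['node']}: {finding['child']}")
```

The two-stage match matters: any `/node:` process creation is worth a look, but it is the combination with `net user /add` that turns it into a high-confidence alert, and the node field tells you which host actually received the new account.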


How many times was the login attempt from the backdoor user observed during the investigation?

The Windows event ID for “Logon” is 4624. Therefore, let’s create a search with the eventID and the username A1berto. index=main EventID=4624 A1berto

The search is showing 0. That's strange... Let's exclude A1berto from the search in case the syntax was wrong.

Now the search is showing 26 events! It is still a little strange that "A1berto" didn't work, even though it's a valid search term. Let's double check by looking through the logs to see if we find anything related to A1berto. A quick way to do this is to hit "Ctrl + F" to open the browser's find tool and type in the adversary's username.

Firefox is showing 0 results for A1berto. Therefore, the answer must be 0
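The searches used so far (the rare EventID listing, the 4720 account-creation lookup, the bare-term search for A1berto that surfaces the registry TargetObject, and the EventID=4624 logon count that comes back as 0) can all be reproduced offline with a small search helper. The block below is an added example, not part of the walkthrough or of Splunk: the event list is constructed, and the field names TargetUserName and SubjectUserName are assumed to be the ones the Windows add-on extracts (EventID, CommandLine, TargetObject and Hostname are the fields the walkthrough itself uses).

```python
import collections
import fnmatch

# Constructed sample events (not the room's data): Windows Security and Sysmon
# records in the flat field=value shape Splunk presents them in.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "James.browne", "Hostname": "James.browne"},
    {"EventID": 4624, "TargetUserName": "James.browne", "Hostname": "James.browne"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "Hostname": "WORKSTATION6"},
    {"EventID": 4688, "CommandLine": "powershell.exe", "Hostname": "James.browne"},
    {"EventID": 4688, "CommandLine": "svchost.exe -k netsvcs", "Hostname": "WORKSTATION6"},
    # 4720: a user account was created (TargetUserName is assumed field naming)
    {"EventID": 4720, "TargetUserName": "A1berto", "SubjectUserName": "James.browne",
     "Hostname": "WORKSTATION6"},
    # Sysmon 12: registry object added or deleted
    {"EventID": 12, "TargetObject": r"HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto",
     "Hostname": "WORKSTATION6"},
    {"EventID": 4103, "Hostname": "James.browne"},
    {"EventID": 4103, "Hostname": "James.browne"},
    {"EventID": 4103, "Hostname": "James.browne"},
]


def search(events, **criteria):
    """Field=value filter with Splunk-style '*' wildcards; all criteria must match."""
    matched = []
    for ev in events:
        if all(field in ev and fnmatch.fnmatchcase(str(ev[field]), str(pattern))
               for field, pattern in criteria.items()):
            matched.append(ev)
    return matched


def contains_term(events, term):
    """Bare-term search like `index=main A1berto`: the term must appear in
    some field value of the event (case-insensitive)."""
    needle = term.lower()
    return [ev for ev in events if any(needle in str(v).lower() for v in ev.values())]


def rare(events, field, limit=20):
    """Least common values of a field, like `| rare limit=N <field>`:
    (value, count) pairs, lowest count first."""
    counts = collections.Counter(str(ev[field]) for ev in events if field in ev)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit]


def created_accounts(events):
    """(username, host) for every 4720 account-creation event."""
    return [(ev["TargetUserName"], ev["Hostname"]) for ev in search(events, EventID="4720")]


def logon_count(events, username):
    """Successful logons (4624) mentioning the account anywhere in the event,
    the same question the walkthrough asks with EventID=4624 A1berto."""
    return len(contains_term(search(events, EventID="4624"), username))


if __name__ == "__main__":
    print("rarest EventIDs:", rare(EVENTS, "EventID", limit=3))
    print("accounts created:", created_accounts(EVENTS))
    for ev in contains_term(EVENTS, "A1berto"):
        if "TargetObject" in ev:
            print("registry path touched:", ev["TargetObject"])
    print("A1berto logons:", logon_count(EVENTS, "A1berto"))
    print("4103 module-logging events:", len(search(EVENTS, EventID="4103")))
```

The point of `rare` is the reasoning the walkthrough relies on: a one-off action like creating an account produces an EventID that appears once, so sorting ascending by count brings the interesting IDs to the top. A logon count of 0 for the new account is itself a finding (the backdoor was created but never used for an interactive logon in this data), not a search error.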


What is the name of the infected host on which suspicious PowerShell commands were executed?

Remember the PowerShell script that was run to create the new A1berto account? We've already found the host! It's James.Browne!


PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?

The event ID for a PowerShell execution is 4103. Event ID 4104 contains the contents of the script. Therefore, we want to search for eventID 4103. index=main EventID="4103"

There are 79 events.


An encoded PowerShell script from the infected host initiated a web request. What is the full URL?

Since the PowerShell script ran, we should be able to view the URL in plaintext that was used. Let’s continue to use the same search.

Again, this was an executed PowerShell script; therefore, it had to be some sort of payload. Let's create a search to include the Payload information in a clearer way.

According to the search, there were 10 different payloads executed in PowerShell. The fourth event stands out the most. The question is asking about a web-request, but these aren’t domains, they are paths. Therefore, we need to find the actual domain.

After further digging, the domain does not show up anywhere in relation to James.Browne and A1berto. When searching for James.Browne, there are several domains that show up, but it would take forever to look for them. Therefore, let’s rethink our process.

Here’s what we know:

  • The domain was executed through a PowerShell payload

  • James.Browne was the host

Given this information, let's search for EVERY domain and destination address, while also filtering on the hostname James.browne and PowerShell. Here's the search: DestAddress="*" OR domain="*" PowerShell | search Hostname="James.browne"

We have two events! Let’s read through them.

Both events show the same thing! The reason why we couldn’t find anything was because the URL was blocked. At least we have the destination IP address now.

The destination IP address was used with one of the paths seen in the web requests, but the logs do not show which one. Therefore, let's just try all 3 until we get the answer. (Remember to defang the URL(s).)

hxxp[://]10[.]10[.]10[.]5/news[.]php
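The last two questions come down to recovering what an encoded PowerShell command actually did and reporting the URL safely. As an added example (not from the walkthrough or the room), the block below decodes the base64/UTF-16LE form that `powershell.exe -EncodedCommand` takes, extracts any URLs from the decoded script, and defangs them in the same style as the answer above. The sample command line is constructed; the URL in it is the one the walkthrough arrives at.

```python
import base64
import re


def encode_powershell(script):
    """UTF-16LE then base64: the form powershell.exe -EncodedCommand accepts.
    Used here only to construct the sample command line below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob):
    """Inverse of encode_powershell: recover the script text from the argument."""
    return base64.b64decode(blob).decode("utf-16-le")


# Constructed sample CommandLine (not a real event from the room).
SAMPLE_COMMANDLINE = (
    "powershell.exe -NoProfile -EncodedCommand "
    + encode_powershell("Invoke-WebRequest -Uri 'http://10.10.10.5/news.php'")
)

# -EncodedCommand and its accepted abbreviations, followed by the base64 blob
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)


def defang(url):
    """http://10.10.10.5/news.php -> hxxp[://]10[.]10[.]10[.]5/news[.]php"""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return (scheme.lower().replace("http", "hxxp") + "[://]"
            + host.replace(".", "[.]") + sep + path.replace(".", "[.]"))


def urls_from_commandline(commandline):
    """Decode every -EncodedCommand argument on the line and return the
    defanged URLs found in the decoded script text."""
    found = []
    for blob in ENCODED_ARG.findall(commandline):
        try:
            script = decode_powershell(blob)
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 / UTF-16LE: skip rather than crash
        found.extend(defang(u) for u in URL_RE.findall(script))
    return found


if __name__ == "__main__":
    print(urls_from_commandline(SAMPLE_COMMANDLINE))
```

Where script block logging (event ID 4104) is on, the script text is already decoded in the event and only `URL_RE` and `defang` are needed; the decode step is for process-creation records, where all you have is the encoded argument.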
